Patrick Gray
And welcome to another edition of Seriously Risky Business. My name's Patrick Gray. For those who are unfamiliar, Seriously Risky Business is the podcast we do here at Risky Biz HQ which is all about the big picture side of stuff, government policy, intelligence, all of that sort of stuff. And yeah, we'll be checking in with Tom Uren in just a moment. He's our policy and intelligence editor, and we'll be talking through the work that he's done with us this week. Before we get started, I'd like to thank the William and Flora Hewlett Foundation for supporting Tom's work with us. And also Lawfare Media, who syndicate Tom's Seriously Risky Business newsletter and publish it to their website. We also have a sponsor this week which is Authentik. That's Authentik with a K at the end instead of a C. And they are an identity provider. So they're an open source IDP that you can run on prem. It handles air gapped environments really well. And yeah, just a different way to do things if you don't want to just cloudify your identity stacks. So yeah, you can find them by searching for Authentik with a K. Now, Tom, thank you for joining me. We've just been putting the finishing touches on your newsletter this week and you looked at two things in detail. The first was some work out of the Atlantic Council that looks at the zero day pipeline in the US government and tries to contrast that with the way the Chinese do things. And long story short, there's probably a few things the Americans could learn from the Chinese.
Tom Uren
Yeah, it was a really interesting report. And the author, Winnona DeSombre, she interviewed a whole heap of people, I guess in the industry, in national security, in intelligence. And she draws a really nice picture of the way the US system in particular works based on those interviews. And it's a whole lot of stuff that when I read I went, oh yeah, that makes sense. And she's got it footnoted with who that information is from and, you know, is it backed up? So I thought that was a really good body of work there. And basically she describes a US system that is, and now this is my take from what she said, based on like an insiders' club. People who've worked for government have left government. They are building these highly, highly exquisite exploits that will never get found. And they're used to working in classified environments and putting up with SCIFs, and they're used to working through large prime contractors who have a whole heap of compliance burdens. And it describes a sort of acquisition funnel that is narrower, narrower, getting a really like diamonds, finding the jewels. And for people in the industry, it's like, oh, yeah, that's the way it should be. Because we want stuff that can be very, very stealthy. And there's some interesting stories in there about at times, the organizations that are buying these vulnerabilities will buy the entire back catalog because they're after something in particular, but they don't want to tell who's selling them what they're after. And so there's all this, I guess you would call it waste built into the system because they value being stealthy so much. And then she contrasts that with the Chinese system, which is, you know, a huge, wide open aperture. We'll take anything. We don't really care if it's stealthy or the quality. If it suits our needs at the time, let's go for it. And sort of strategically, you can see that each of those suits the culture that they come from.
And so up until now, it's probably, yeah, this is fine. We're doing things a different way and we're happy with that. But the problem, I guess, is that it's getting harder and harder to find.
Patrick Gray
Those sorts of exquisite 0days. Right. Yeah. I found this one very interesting because it does show that the Americans, you know, a lot of this work goes to the primes. There are, you know, just relying on my own knowledge here, there are a bunch of companies who've managed to cut through, who aren't primes, but kind of, you know, have cut through by being prime-like, if that makes sense, you.
Tom Uren
Know, subcontractors or something like that.
Patrick Gray
Yeah, not even just subcontractors. Like companies that have been around long enough maybe started out as subcontractors and then learned to do all of the really hard compliance stuff and form the relationships and then sort of get into that, as you described it, a club. But that's a heavy lift and it takes a number of years. So once they're in the club, wow, the margins are great. It's awesome. They're making heaps of money. But it's to your point, the fact that they have to go through all of these pretty substantial hurdles to be able to contribute seems not ideal in some ways.
Tom Uren
Yeah, well, I think the effect is that there's a huge pool of people. Well, when I say huge, there's a huge pool of people compared to the ones who are in the club. And so if exploits are getting harder and harder to find, you want to be looking as broadly as you can to be able to capture those ones that you really want. And the sort of Chinese system by contrast looks very, very broadly. And the report also identifies things like gaps. And people in the industry talk about a training valley of death where you get engineers who are trained up to a certain point, but they need to be refined, honed, they need extra training to be able to do the kind of work that is needed to develop these 0days. And the Chinese system there's actually very explicit, here are schools that will teach you how to do this. Sort of. One of the eye opening statements in there is that they'll be given projects in university where the goal is to hack an American company as a university project. And that's like. And then they'll go directly from those kinds of schools into a company that specializes in, I guess we call it cyber espionage or cyber espionage contracting. So it's very much a direct pathway, and the sort of covert nature and the club like nature of the US system just cuts out a whole lot of opportunities that we'd like to have in the future is the way I think about it. So she's got a whole lot of suggestions about how to sort of expand that aperture that I think make a lot of sense. And to me this report felt like a statement of the obvious, that once someone says it to you, you go, oh yeah, of course. I've just never really thought of it as a sort of contrast between systems and what that implies for what the US needs to do.
Patrick Gray
Yeah, I mean on one level I can understand why Five Eyes countries are so obsessed with being stealthy and whatever. I mean there's good reasons for that. There's a culture around it as well. And for many operations that's going to be the right way to go. What I do wonder though is why we in the West, you know, and I'll just lump us in with the Americans for the purposes of this conversation, why we don't loosen things up for certain types of exploits or exploits that are going to be used in certain types of use cases. Right. And the immediate example that jumps to mind is targeting organized crime. Right. So like in the United States you've got the FBI which fulfills the roles of like two agencies that we have here. We have two agencies that would handle that workload. So you've got the crime stuff and then you've got the sort of counterintelligence side of things here. That's ASIO. So you would imagine that for the counter espionage stuff you might want to be very stealthy and not let your exploits get snagged and making noise and, you know, tipping people off to the fact that you're onto them. But when it comes to investigating a group doing mortgage fraud or even terrorists.
Tom Uren
Where you think they're not very sophisticated, like it can be high priority targets that are just not technically sophisticated, I think that that makes a lot of sense.
Patrick Gray
And they're not likely to have a network of spies who are going to tip them into what's happening in the exploit dev marketplace even if that marketplace could be infiltrated. Right. So, you know, we saw the Americans flirt with this when they looked at possibly buying NSO Group. And from what I heard from sources, the idea would have been to feed a lot of that stuff into agencies like the FBI as opposed to like the NSA, who are going to do their own thing.
Tom Uren
Yeah. So it seems like the thinking is there that makes sense. I think there's a difference between thinking about it and actually getting it over the hurdle. And so, you know, maybe this report is one of those things that makes people sit back and go, oh yes, we need a broader aperture. And there's some places where being super covert matters. She also talks about buyers not telling vendors what they actually want. And so it's a marketplace where I want to buy something but I can't.
Patrick Gray
Tell you what it is.
Tom Uren
And so that kind of secrecy like for certain targets is unnecessary. And so I think that's the kind of thinking that needs to drive a broader funnel, I guess.
Patrick Gray
Yeah, it's funny, I mean this might seem like a bit of a tangent, but it'll get there in the end. This is what Donald Trump would call the weave. But this makes me think back to metadata collection that the NSA was doing when they had these rolling 90 day warrants where they could get all telco metadata into a database and then they would apply some oversight at the point that they queried those databases so they didn't have open slather once they had that data. And I understand that people are still uncomfortable with the idea that the NSA would have that data to begin with. And you know, that's a reasonable argument. We're not going to get into that. But, you know, where it ended up is they're not allowed to do that anymore. So now they have to actually ask the telcos for metadata on numbers and that metadata can be returned to them, so they can't just query it secretly. And I think that's the interesting part, right, is that most people who are not close observers of this space wouldn't understand that the reason the NSA was collecting that data, so that they could query it secretly in the first place, is because they don't want to tell a telco, hey, we want some data on this number, because that could turn into a problem for them. The target could be alerted. The Chinese or the Russians might have someone at the telco. And that's a problem.
Tom Uren
Yeah, exactly. The thought process there is that you don't trust anyone who's not gone through a vetting process, and it's just impossible to vet everyone at a telco who might have access to the information that's being given to the NSA.
Patrick Gray
Yeah, I mean, in theory you've got your classified personnel who are supposed to deal with that, but like theory and practice don't always marry up in telco land, right?
Tom Uren
Yeah, yeah. Well, they'd be querying a database that other people would have access to, and then there'd be a database and, you know, where do you draw the line and how secure does that database have to be? Yada yada, yada, yada yada. Yeah, and so you can think up reasons where you just never do that until someone forces you to do something else, basically.
Patrick Gray
So there we go. Open it up. Non-critical 0day. Open it up everybody. Let's get an open marketplace happening. Tear down the clubs and see what happens, I guess now.
Tom Uren
Yeah, yeah, pretty much. Like one of the concrete suggestions is actually to have a U.S. agency, I guess, that is the broker for zero days, like, you know, a public place where you can go and sell them instead of, you know, I know a person who knows a person.
Patrick Gray
The US Department of Ownage. I love it. The US Department of Pwn. Could be great. Now the other thing that we're going to talk about now is a piece you wrote about the American bombing run on Iran against Iranian nuclear facilities and the Chairman of the Joint Chiefs of Staff announcing that Cyber Command supported this operation. There's been a bunch of speculation out there about what that could look like. I indeed said on the show yesterday that it was probably they bricked some communications or something. You are predicting, or you're speculating, that it was something even more boring than that, Tom.
Tom Uren
Well, so there's a DefenseScoop article and it kind of lays out the possibilities, and the one everyone loves, and to be honest I also love, is the, you know, hacking air defence systems so that you disrupt them or spoof them or take them down so that your planes can sneak in, you know, unscathed. That's pretty unlikely. And in fact Axios reports that the Israeli Air Force actually went and destroyed Iranian air defence systems in the lead up to the US strike to make extra sure. And that makes a heap more sense. But DefenseScoop, one of the sort of theories is that it's something akin to a cyber escort package. Now I'm going to take a risk here and I'm going to read out that para and I just hope that everyone doesn't fall asleep. And so that includes backups and fail safes as well as ensuring the Department of Defense's information network is up and running to enable communication. Defensive cyber protection teams would likely ensure infrastructure was up and running and protected from any adversary intrusions or disruptions. And so it's a very, very mundane job.
Patrick Gray
Yeah, so basically the possibility here is they might have had someone sitting in front of a Corelight sensor and monitoring some EDR logs as this was happening, you know, which, I mean, it just sounds so unbelievably boring, but you can still imagine a senior defence leader calling it out because, look, we did cyber, and they don't have to go into detail. So doing cyber in this case could just mean keeping an eye on the network.
Tom Uren
Yeah, well the whole press conference was about projecting the impression that the US could bring together a whole range of different capabilities and have a result that no one else can counter. So they talked about Transportation Command, Space Command, Space Force, European Command, Central Command, and the orchestration of all these different assets at different times in radio silence. So it's very much, if we could mention anyone, we're going to mention that command or that team or whatever. So that was the vibe of the whole press conference.
Patrick Gray
I'm sceptical on the air defence thing as well because I mean, after a few days it looked like the Israelis could have been flying, you know, dropping bombs out of the windows of Cessnas.
Tom Uren
If you had that capability, the time to use it is actually the very first sorties. And then you use it then and you destroy air defence because the air defence has been disabled, like you actually physically destroy it. So there are Iranian state media reports that that is what the Israelis did. But again, it could be state media saying that just to sort of excuse their poor performance, or it was magical hacking rather than we're just terrible. And so the timing for Cyber Command doesn't make sense as well in the context of this conflict. So yeah, unfortunately, I'm for the boring and disappointing answer, and I can claim.
Patrick Gray
Credit for the headline that you whacked on that one in the end, which is this is not the cyber war we were promised. Because it really isn't. And for those who want to read more details about all of this, you can head over to Risky Biz and click on the Newsletters tab or square and subscribe to all of our newsletters and get Tom's wonderful digest once a week, in addition to the three news bulletins that we publish written by Catalin Cimpanu. But Tom, we're going to wrap it up there, mate. Thank you so much for joining me to talk through your newsletter edition this week. Great stuff and we'll do it all again next week.
Tom Uren
Thanks, Patrick.
Podcast Information:
In this episode of Seriously Risky Business, host Patrick Gray engages in an insightful discussion with Tom Uren, Risky Biz's policy and intelligence editor. The conversation delves into a recent Atlantic Council report by Winnona DeSombre, which contrasts the zero-day (0day) exploit procurement and management strategies of the United States and China. Additionally, the episode touches upon the role of Cyber Command in recent U.S. military operations against Iranian nuclear facilities.
Tom Uren begins by summarizing Winnona DeSombre's comprehensive report, which analyzes the divergent approaches of the U.S. and Chinese systems in handling 0day vulnerabilities.
[01:33] Tom Uren: "She describes a US system that is based on an insiders club... building highly exquisite exploits that will never get found."
The U.S. relies on a selective, "insiders club" model where only a few highly vetted individuals, often former government employees, develop sophisticated and stealthy exploits. This method emphasizes quality over quantity, ensuring that these vulnerabilities remain undetected.
[03:20] Tom Uren: "They are building highly exquisite exploits that will never get found... it's a whole lot of stuff that makes sense for stealthy operations."
Contrastingly, China's system adopts a wide-open approach, accepting a vast array of vulnerabilities without stringent quality checks. This strategy allows for rapid acquisition and exploitation of numerous 0days, catering to diverse and immediate needs.
[04:07] Tom Uren: "The Chinese system looks very, very broadly. They'll take anything... if it suits their needs at the time."
The discussion highlights that while the U.S. prioritizes stealth and quality, this exclusivity may limit the pool of available exploits. Conversely, China's expansive approach ensures a steady supply but may compromise on exploit quality. Tom suggests that the U.S. could benefit from broadening its acquisition funnel to remain competitive.
[07:01] Tom Uren: "She's got a whole lot of suggestions about how to sort of expand that aperture that I think make a lot of sense."
The U.S. system faces a "training valley of death," where engineers receive foundational education but lack the specialized training required for advanced exploit development. This gap hampers the ability to produce high-quality vulnerabilities consistently.
[05:00] Tom Uren: "Engineers need to be refined, honed... developed exploits."
The current U.S. model often restricts information exchange between buyers and sellers of exploits, fostering a secretive marketplace. This secrecy can lead to inefficiencies and missed opportunities for collaboration.
[09:18] Tom Uren: "It's a marketplace where I want to buy something but I can't tell you what it is."
Tom advocates for establishing a U.S. agency to act as a broker for 0days, facilitating a more open and transparent marketplace. This could democratize access to vulnerabilities and encourage broader participation.
[11:42] Tom Uren: "One of the concrete suggestions is actually to have a U.S. agency... a public place where you can go and sell them."
The episode transitions to discussing the U.S. bombing run on Iranian nuclear facilities, where the Chairman of the Joint Chiefs of Staff announced Cyber Command's involvement. Tom expresses skepticism about the nature of this cyber participation.
[12:37] Tom Uren: "It's something akin to a cyber escort package... very mundane job."
Tom suggests that Cyber Command's role was likely limited to maintaining and protecting U.S. defense networks during the operation, rather than actively engaging in offensive cyber actions against Iranian defenses.
[13:56] Patrick Gray: "Cyber in this case could just mean keeping an eye on the network."
The host and guest agree that public statements showcasing Cyber Command's involvement may be more about projecting a multifaceted military capability than reflecting substantive cyber operations.
[14:20] Tom Uren: "The whole press conference was about projecting the impression... having capabilities that no one else can counter."
Patrick Gray and Tom Uren conclude that the current U.S. approach to 0day exploit management may need reevaluation to remain effective against adversaries like China. Additionally, the role of Cyber Command in military operations may often be more about support and maintenance than active cyber offensives.
[15:54] Patrick Gray: "This is not the cyber war we were promised. Because it really isn't."
For more in-depth analysis and details, listeners are encouraged to subscribe to Risky Biz newsletters and explore additional resources on the Risky Biz website.
Stay Connected:
Subscribe to the Risky Business newsletters for weekly digests and updates on the latest in cybersecurity, government policy, and intelligence.